

Hide PHP file extension





rjraaz
http://roshanbh.com.np/2008/01/hiding-php-file-extension.html wrote:
Do you want to hide your web site’s server script identity? If you don’t want to reveal the programming language (server side script) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.

Here is a small technique for you: you can use a .html or .asp file to work as a PHP file, i.e. use the .asp or .html extension instead of .php. You just need to create a .htaccess file and put the following code in the .htaccess file. Remember that the .htaccess file should be placed in the root folder of your website.


# Make PHP code look like asp or perl code
AddType application/x-httpd-php .asp .pl

If you place the above code in the .htaccess file then you can use contact.asp as the name of the file. Now a visitor thinks that it is an ASP file, but this file contains PHP code.

You can put the following code in the .htaccess file to make .htm or .html files work as PHP files.

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html


Helios' note:
Do I want to hide my web site’s server script identity ?
NO! I want you to use quote tags and state the source of the copy-pasted material. Thank you!!!
Fire Boar
rjraaz wrote:
Do you want to hide your web site’s server script identity? If you don’t want to reveal the programming language (server side script) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.


Only the most dim-witted cracker would be foiled by such a technique. If your PHP code is insecure it can be cracked no matter what extension you use.

EDIT: If any.
Hogwarts
Why have a file extension to begin with? What benefit is there in it?
jmraker
If I ever did that then everyone would assume:
    . I used asp and not php
    . I knew asp
    . I should be using asp
    . I shouldn't be using php
    . asp is better than php if I'm going to pull such shenanigans

Since you can pick any file extension, don't pick one that hurts php's street cred. Make up your own, you never know who will go to your site, see the .asp and decide to learn asp
AftershockVibe
Fire Boar wrote:
Only the most dim-witted cracker would be foiled by such a technique. If your PHP code is insecure it can be cracked no matter what extension you use.

EDIT: If any.


Gotta agree with Fireboar on this one. And here's why:

A tonne of information, including what server-side languages are installed on a server, is sent with the HTTP headers every time a page is requested.
Code:
X-Powered-By:   PHP/5.2.13


Have a look for yourself at http://web-sniffer.net/ .

Type in "http://www.frihost.com/forums/" and see what you get. Quite a lot is the answer, so hiding your file extension is pointless. I suppose you could disable sending this in Apache as well, but that's still just an attempt to hide, although I suppose it might prevent opportunist scripts. They are more likely to be looking for vulnerable CMS or forum installations, though.
imagefree
If you really want to increase security, hiding the extension may be an option, but it's not all you have to do. Perhaps your applications' inner security is the most important thing.

People usually hide the extension because extensions are useless when you can do without them with the help of a .htaccess file. URLs look beautiful without extensions, and if you can, why shouldn't you!

PHP has a big base, and I don't think that some cracker will find its vulnerability and crack your site. Although vulnerabilities in older versions of PHP/Apache or any software/CMS you use may invite malicious people if they get to know (maybe crawling the web randomly to find weak holes, they reach you) that you are using older versions. Now this is the situation where providing least or no info of the inside is vital.

To hide, you need to be intelligent. Hackers have a number of ways to find what you are using on your server. For example, if you leave default error pages, Apache outputs a Product Token that lets the world know everything about the installations (although you can limit the info to be published, you can't remove the product info altogether). Also try to access a URL like:

Code:
http://www.frihost.com/forums/.ht


If it produces Forbidden, then there is Apache installed on the server. (The Apache config file can help you change settings about this. By default, Apache produces a 403 Forbidden error if someone attempts to access a .ht* file and the .ht* file is already there. If the file is not there, a 404 Not Found error will be produced.) To deceive, change the related configuration (at your own risk).

Also, as said by the person above, the X-Powered-By header also reveals the scripting language used (unless disabled. You can disable it in the php.ini file if you are using PHP and want to keep it secret). You can even send a custom/fake X-Powered-By header to deceive others. This can easily be done by disabling the X-Powered-By header first in the php.ini file and then using a PHP script to output an X-Powered-By header that tells the world that you are using some other scripting language (like ASP. I know ASP produces an X-Powered-By header, but I am not sure about others).
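
As an added example (not part of any post in this thread), this Python check runs over a captured response head and lists what still names the stack after the extension has been renamed, together with the setting that removes each item. Both sample responses are constructed, and the PHPSESSID cookie check goes beyond the headers the thread mentions.

```python
import re

# Constructed sample: headers from a hypothetical site that serves PHP as
# .asp via AddType but changed nothing else.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=constructedvalue0123; path=/
Content-Type: text/html
"""

# Constructed sample: the same site after the settings named in audit().
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: sid=constructedvalue0123; path=/
Content-Type: text/html
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response head."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """List disclosed stack details as (header, leaked value, setting to change)."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by":
            findings.append((name, value, "php.ini: expose_php = Off"))
        elif name == "server" and re.search(r"/\d|\(", value):
            # Version numbers or module lists beyond the bare product name.
            findings.append((name, value, "Apache: ServerTokens Prod"))
        elif name == "set-cookie" and value.upper().startswith("PHPSESSID="):
            # PHP's default session cookie name identifies the language.
            findings.append((name, "PHPSESSID", "php.ini: session.name"))
    return findings

if __name__ == "__main__":
    for header, leaked, fix in audit(SAMPLE_RESPONSE):
        print(f"{header}: discloses {leaked!r} -> {fix}")
```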